History of DMARC
Now, though, DMARC is supported by all major mailbox providers and is key in both protecting email from malicious activity and improving deliverability. While DMARC is universally recommended for email marketers across all industries, it’s not widely adopted due to its complexity and tiered approach to implementation.
How does DMARC work?
Alignment ensures there is no spoofing of a critical authentication signal: the “header from” address. DMARC alignment indicates the “header from” domain name matches the “envelope from” domain, as determined by an SPF check. This is how DMARC builds on the basic security of SPF.
Then, DMARC verifies if the “header from” domain matches the “d= domain” in the DKIM signature. That’s where DKIM plays its role.
Putting this all together, in order to pass DMARC authentication, a message is required to pass SPF authentication and prove SPF alignment, plus DKIM authentication and DKIM alignment. If it fails both signals of alignment, the message fails.
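The check described above can be written out in a few lines. This is an added example, not code from the original article: it applies the failure rule stated above (a message fails DMARC only when neither SPF nor DKIM yields an aligned pass) to constructed messages. It goes slightly beyond the text by showing RFC 7489's strict and relaxed alignment modes; the `org_domain` helper is a simplifying assumption, and all domains are placeholders.

```python
# Added example: DMARC result from SPF/DKIM results plus alignment.

def org_domain(domain):
    """Naive organizational domain: the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, strict=False):
    """Strict mode: exact match. Relaxed mode: same organizational domain."""
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def evaluate_dmarc(header_from, spf, dkim, strict=False):
    """spf: (result, envelope_from_domain); dkim: list of (result, d_domain).
    One strict flag covers both mechanisms here to keep the example short."""
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], strict)
    dkim_ok = any(r == "pass" and aligned(header_from, d, strict) for r, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed messages, all showing example.com in the "header from".
MESSAGES = {
    # Sent through a third-party platform: SPF passes for the platform's
    # bounce domain (not aligned), DKIM is signed with d=example.com.
    "sent_via_esp": dict(header_from="example.com",
                         spf=("pass", "bounces.esp.example"),
                         dkim=[("pass", "example.com")]),
    # SPF and DKIM both pass, but for an unrelated domain: nothing aligns.
    "unaligned_auth": dict(header_from="example.com",
                           spf=("pass", "mailer.invalid"),
                           dkim=[("pass", "mailer.invalid")]),
    # Signed by a subdomain: aligned in relaxed mode only.
    "subdomain_signer": dict(header_from="example.com",
                             spf=("fail", "example.com"),
                             dkim=[("pass", "mail.example.com")]),
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, evaluate_dmarc(**msg), evaluate_dmarc(strict=True, **msg)["dmarc"])
```

The second message is the case alignment exists for: SPF and DKIM both report "pass", yet neither result belongs to the domain shown in the "header from", so the message fails DMARC.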
Who can use DMARC?
Once you have SPF and DKIM records for your domain published to the DNS, you can begin using DMARC. While it takes some up-front work to qualify for DMARC, there aren’t any disqualifiers beyond an actionable willingness to protect your email.
Mitigate the impact of spoofing with DMARC
Because DMARC is more powerful than basic authentication standards like SPF and DKIM.
Monitor policy: p=none
Lots of email marketers implement p=none and leave it at that, assuming this level of protection is adequate. However, without giving the receiving server an instruction, you have no control over how failed messages are handled, and you do nothing to interfere with the potential delivery of malicious mail.
Quarantine policy: p=quarantine
Going one step further than p=none, you can instruct mailbox providers (MBPs) to segregate mail that fails DMARC from mail that passes. This is a quarantine policy, indicated by p=quarantine in your DMARC record. While you have to begin your DMARC journey with p=none, p=quarantine is the next escalation in truly protecting your recipients from possibly harmful communication from your brand.
After the receiving server checks the DMARC record to confirm alignment, it will follow the next course of action determined by your policy. With p=quarantine, mailbox providers will follow your direction and filter the mail into a quarantine or spam folder.
This step is very important in keeping phishing and spoofing scams away from your recipients. By protecting message recipients you better protect your brand from reputation damage and negative impacts on your email deliverability as a whole.
It’s also worth noting, once you implement a p=quarantine policy, you’re at DMARC “enforcement.” This means you’re eligible to use BIMI, an email specification that allows brand logos to display within the inbox of supporting email clients.
Reject policy: p=reject
This level means you’ve taken every step available to make your DMARC record work for you. The reject policy allows monitoring for illegitimate or harmful mail, handling it definitively by refusing it, and reporting back to you on this activity every day.
Surprisingly, adoption of DMARC itself is relatively low, and among marketers who use it, few are at p=reject.
Why use DMARC for email?
While monitoring email performance is important for all email marketers, it’s also important to understand how your brand is being used in the ecosystem. Can you confirm there is no unauthorized mail originating from your domains? With DMARC, you get insight into not only performance, but actual activity from your domains. If you’re using DMARC at enforcement, you can be more assured any malicious mail potentially coming from your domain is automatically being rerouted away from your recipients.
What does a DMARC record look like?
DMARC records don’t need to be intimidating.
There are specific components to understand to make building a DMARC record easier. First, DMARC code relies on tags. Tags are how it speaks to the receiving mail server. Only two are required.
- v: Version. This identifies the TXT record as DMARC, making it distinguishable from other TXT records. It needs to have a value of “DMARC1” and must be listed as the first tag in the whole record. Without the tag listed first or the value equaling DMARC1, the receiver will simply ignore it.
- p: Requested Mail Receiver Policy. This is where your policy level matters. Your DMARC record must include a p= value so the receiver knows what actions to take when running the DMARC check. You can have p=none, p=quarantine, or p=reject.
If you’d like subdomains to have a different enforcement policy than your top-level domain, you can designate that within the record. For instance, validity.com should be at reject but store.validity.com should be at none. The record would read “v=DMARC1; p=reject; sp=none” to properly apply the policies. The p tag indicates the primary policy and sp designates the subdomain policy.
Within the record, you can designate where to send your DMARC reports, both aggregate and forensic.
There are several other tags you can use in your record to change default values assumed when the server is checking for DMARC alignment. These don’t need to be manipulated, but you can if you want a more customized report.
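The tag rules above translate directly into a record check. This is an added example, not code from the original article or from any Validity tool: it validates a DMARC TXT record string against the rules described here (v=DMARC1 first, p required, p and sp limited to the three policy values) and resolves which policy applies to a subdomain. The sample records and the example.com reporting address are constructed.

```python
# Added example: validate a DMARC TXT record against the tag rules above.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return (tags, errors) for one DMARC TXT record string."""
    tags, errors = {}, []
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for part in parts:
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep:
            errors.append(f"{part!r} is not a tag=value pair")
        elif name in tags:
            errors.append(f"duplicate tag {name!r}")
        else:
            tags[name] = value.strip()
    # v=DMARC1 must come first, or the receiver ignores the whole record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        errors.append("first tag must be v=DMARC1")
    if "p" not in tags:
        errors.append("required tag p is missing")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in VALID_POLICIES:
            errors.append(f"{tag}={tags[tag]} is not none, quarantine or reject")
    return tags, errors

def effective_policy(tags, is_subdomain):
    """Policy applied to a message: sp for subdomains when present, else p."""
    if is_subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "").lower()

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = [
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.com",
    "v:DMARC1; p=reject; sp=none",   # ':' instead of '=' in the version tag
    "p=quarantine; v=DMARC1",        # v is not the first tag
    "v=DMARC1; p=monitor",           # unknown policy value
]

if __name__ == "__main__":
    for record in SAMPLES:
        tags, errors = parse_dmarc(record)
        print(record, "->", errors or "valid")
```

Only the first sample is usable; for that record, a message from a subdomain is handled under sp=none while the top-level domain stays at reject.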
What do DMARC reports look like?
As you can imagine, every authentication failure could begin to pile up. After you’re comfortable with your aggregate reports, you might want to only enable reports when a spoofed email is detected.
Biggest misunderstanding about DMARC
DMARC is not a quick deliverability fix
You will also benefit from the decrease in incidences of SPF and DKIM failures because the only mail coming from your domains can be verified on your end as legitimate. A steady stream of threat-free email is always a boon to your email reputation, and your delivery rates should improve along with the trend.
A smart early step in troubleshooting DMARC is to confirm the record is configured properly. If you can verify there are no problems with the record itself, move on to analyzing your SPF and DKIM records. Remember, DMARC checks for alignment for both SPF and DKIM.
You should also check your email headers to understand whether or not they’re passing SPF and DKIM. If there are issues there, you don’t truly have a DMARC problem.
Do I need DMARC?
Can I set up DMARC by myself?
Yes! That being said, it can be tricky and stressful. You’ll need a high level of confidence in your ability to build a functional record. You also might need help making sense of the reports you’ll receive, or how to solve the issues you’re seeing in them. If you’re not feeling confident enough to take on DMARC by yourself, there are lots of tools to help you get up and running. Everest, Validity’s email success platform, can assist you in the set-up, implementation, and interpretation of DMARC.
What if I don’t use DMARC?